Sparse public information, a slow response to queries and confusing advice was the shared experience of members of a specialist panel in the aftermath of GDPR and how it had impacted their lives since it became law on 25 May, 2018.
Representatives of several businesses directly affected by the new data protection laws were brought together by South East Business magazine. Their experiences were varied, but they all agreed that not enough had been done to explain the implications of GDPR and what it meant to be compliant. Strongest criticism from the panel – which met at the offices of Kent Invicta Chamber of Commerce in Ashford – was reserved for the Information Commissioner’s Office (ICO), a government body which reports directly to Parliament and is sponsored by the Department for Digital, Culture, Media and Sport.
First off the blocks with her view was Sarah Bradshaw of Martin Environmental Services, who said she was not a newcomer to data protection, but had found the run-up to GDPR frustrating: “I come from a more IT background and I picked up GDPR responsibility within the company. There was a lack of information about it before it became law, particularly in how to apply it, and on some of the calls I made to the ICO I was given conflicting and confusing advice.”
Paul Shomeful of Annenke Solutions, who specialises in data protection for businesses, agreed the ICO had been “quite slow in producing relevant information for the public, which sent out the wrong message.” He said he was an unusual individual who found the prospect of GDPR “exciting” and he had been happy to help clients through the maze of regulations towards compliance.
Paul regarded GDPR as “a cultural change in business” and said the pain of the past few months would be worthwhile in the long run, with more companies keeping their valuable data secure from hackers.
Sophie Forrest of ForrestHR said: “The cost associated with GDPR compliance has not been consistent with some firms offering very basic support with off the shelf documents and then the other end of the scale being thousands of pounds, there was no middle ground. I felt there was a market here for professionals to fill this gap, which my colleague and I have endeavoured to do.”
An IT data protection specialist, director of J&J Systems Jacqueline Offen, was disappointed by the lack of interest from clients, who ranged from sole traders to multi-nationals. Jacqueline said that with more than 1,200 monitored users, not one client had asked in detail where her company held their data and she could not understand why they were so trusting about such a valuable commodity.
Jacqueline explained: “Fortunately, we made a decision seven years ago to keep the information we store on secure servers at our own site, long before the introduction of this act. It has proved a valuable decision.”
Chief executive of Invicta Chamber Jo James, who chaired the panel, admitted her first reaction on hearing about the impending GDPR was to ask “why do we need this?” However, the growing number of online frauds threatening businesses and experiencing the pain of having her mobile phone hacked via a breach in security from the service provider had changed her mind.
“My bank account was hacked and several thousands of pounds stolen. I got it all back, but only after a lot of effort and it made me feel very vulnerable,” she said. “We all need to realise how valuable our personal data is and ensure it is as secure as it can be. As businesses, we need to protect customer data, too.”
Alex Goodier, who runs a business coaching and consultancy company, said a lot of smaller companies had approached GDPR with what she described as “ostrichitis”, hoping it would go away. “Some have not even made a token gesture towards compliance,” she added.
Colin Smith of Brachers solicitors was brought in by the chamber to provide answers to questions posed via a GDPR helpline. He said the first reaction by many people on hearing about the new law was “this is crazy” or “are you serious?” or “does this apply to me?” His concern was that when companies had made the first moves towards compliance they would metaphorically put the information in a drawer and forget about it.
“Businesses need to be aware what data they collect and why and what they do with the information. This should lead to a more efficient, more streamlined business model, if done correctly,” said Colin. He believed firms should also impose a “clear desk” policy, encouraging employees to get rid of paperwork and think carefully about every piece of data they collected and stored.
Colin feared many people would not believe in the importance of GDPR until a company received a large fine for non-compliance. One of the most likely sources was from a disgruntled employee who wanted to make trouble for his or her former bosses by reporting an alleged breach in the law. The ICO is duty bound to investigate any claims.
Alex agreed a disgruntled employee (or ex-employee) was a potential source of trouble, but so were competitors, who could claim there had been a breach of data security and the ICO had to be brought in. “The claim might be proved to have been false, but a fair bit of collateral damage would be done in the process – as well as the cost of challenging the claim and the additional hassle involved.”
David Morrison of solicitors Clarkson Wright and Jakes said: “GDPR has increased the risk of data breach complaints, even for relatively minor matters, as the public become more aware of their rights. It applies to large and small firms alike.”
Jacqueline said there are some companies who actually needed to consider employing a data protection officer, but said there was “a massive skills shortage”in this field. She said she had been shocked by the lack of security displayed by some firms in handling personal data, for instance accountants sending payslips, or other sensitive money laundering information, as simple attachments via email. “Businesses don’t understand that email is not a secure form of communication and they have clearly not carried out adequate risk assessments on their data.”
Charlotte Forsyth of Social Enterprise Kent, a training provider for businesses, said its GDPR preparation course had proved a best seller. “Many of our clients are in the health and social care sector. They deal with very sensitive personal information, including the names, addresses, disabilities and marital status of clients. The law says this must be safely stored until 2030.”
Paul said there were cases where this would extend to 2035, adding: “In the social sector it is quite difficult to store data securely. People’s circumstances change regularly.”
In closing, Jo asked the delegates what piece of advice about GDPR was the most important to pass on to businesses. Charlotte’s was “Yes, it does apply to you”. Paul’s was: “Think about what personally identifiable information means. Many hairdressers, taxi firms, pizza deliverers and so on do not believe they use data, but they do. Any advice given by professionals needs to be in a language understood by everyone. Ignoring GDPR is not going to help. You need to take your head from the sand. Small businesses WILL get hit by this, they need to take notice now.”
<a href=”http://www.southeastbusiness.com/assets/flipbook/2018/SEB0918/SEB09Aug18.html#p=28>Click here to read the full GDPR update